Generation of a secure key exchange authentication response in a computing environment
Abstract
Aspects of the invention include generation of a secure key exchange (SKE) authentication response by a responder node of a computing environment. A computer-implemented method includes receiving an authentication request message at a responder channel on the responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node. A state check is performed based on a security association of the initiator node and the responder node. A validation of the authentication request message is performed. A proposal list of the authentication request message is checked. An authentication response message is built based at least in part on a successful state check, a successful validation, and selecting an encryption algorithm from the proposal list. The authentication response message is sent from the LKM to the responder channel.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer program product for facilitating processing in a computing environment, the computer program product comprising:
a computer readable storage medium readable by one or more processing circuits and storing instructions for performing operations comprising:
receiving an authentication request message at a responder channel on a responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node;
performing a state check based on a security association of the initiator node and the responder node;
performing a validation of the authentication request message;
checking a proposal list of the authentication request message defining one or more encryption algorithms supported by the initiator channel;
building an authentication response message based at least in part on a successful state check, a successful validation, and selecting one of the encryption algorithms from the proposal list; and
sending the authentication response message from the LKM of the responder node to the responder channel of the responder node.
2. The computer program product of claim 1 , wherein the operations further comprise the responder channel sending the authentication response message to the initiator channel.
3. The computer program product of claim 2 , wherein the sending the authentication response message to the initiator channel is via a storage area network (SAN).
4. The computer program product of claim 1 , wherein the authentication response message further comprises a responder signature based at least in part on one or more parameters extracted from a previously received initialization message.
5. The computer program product of claim 4 , wherein the responder signature is based on an initiator nonce, a shared key, a responder identifier, and at least one key from a set of cryptographic keys.
6. The computer program product of claim 1 , wherein the operations further comprise decrypting a payload of the authentication request message, and validation of the authentication request message comprises checking one or more message header parameters and an identifier of the payload based on decrypting the payload.
7. The computer program product of claim 1 , wherein the state check further comprises verifying a security association state of the responder node.
8. The computer program product of claim 1 , wherein the state check further comprises verifying a last received message state and a last sent message state of the LKM.
9. The computer program product of claim 1 , wherein the operations further comprise computing an initiator signature based on a responder nonce, a shared key, an initiator identifier, and at least one key from a set of cryptographic keys and comparing the initiator signature to a signature extracted from the authentication request message as a further validation.
10. The computer program product of claim 1 , wherein the operations further comprise rejecting the authentication request message based on an unsuccessful validation result or determining that none of the encryption algorithms from the proposal list is supported by the responder channel.
11. The computer program product of claim 1 , wherein the LKM executes in a logical partition of a computer system, and the responder node is a host computer or a storage array.
12. The computer program product of claim 1 , wherein the operations further comprise sending an LKM Done message to the responder channel with one or more session keys and an initiator security parameter index (SPI), and a responder SPI to enable encrypted communication between the initiator channel and responder channel using the selected encryption algorithm.
13. The computer program product of claim 1 , wherein the authentication response message is encrypted independent of the proposal list.
14. A computer-implemented method of facilitating processing within a computing environment, the computer-implemented method comprising:
receiving an authentication request message at a responder channel on a responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node;
performing a state check based on a security association of the initiator node and the responder node;
performing a validation of the authentication request message;
checking a proposal list of the authentication request message defining one or more encryption algorithms supported by the initiator channel;
building an authentication response message based at least in part on a successful state check, a successful validation, and selecting one of the encryption algorithms from the proposal list; and
sending the authentication response message from the LKM of the responder node to the responder channel of the responder node.
15. The computer-implemented method of claim 14 , wherein the authentication response message further comprises a responder signature based at least in part on one or more parameters extracted from a previously received initialization message, and the responder signature is based on an initiator nonce, a shared key, a responder identifier, and at least one key from a set of cryptographic keys.
16. The computer-implemented method of claim 14 , further comprising decrypting a payload of the authentication request message, and validation of the authentication request message comprises checking one or more message header parameters and an identifier of the payload based on decrypting the payload, wherein the state check further comprises verifying a security association state of the responder node and verifying a last received message state and a last sent message state of the LKM.
17. The computer-implemented method of claim 14 , further comprising:
computing an initiator signature based on a responder nonce, a shared key, an initiator identifier, and at least one key from a set of cryptographic keys;
comparing the initiator signature to a signature extracted from the authentication request message as a further validation; and
rejecting the authentication request message based on an unsuccessful validation result or determining that none of the encryption algorithms from the proposal list is supported by the responder channel.
18. The computer-implemented method of claim 14 , further comprising:
sending an LKM Done message to the responder channel with one or more session keys and an initiator security parameter index (SPI), and a responder SPI to enable encrypted communication between the initiator channel and responder channel using the selected encryption algorithm, wherein the authentication response message is encrypted independent of the proposal list.
19. A computer system for facilitating processing within a computing environment, the computer system comprising:
a responder node; and
a plurality of channels coupled to the responder node, wherein the computer system is configured to perform operations comprising:
receiving an authentication request message at a responder channel on the responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node;
performing a state check based on a security association of the initiator node and the responder node;
performing a validation of the authentication request message;
checking a proposal list of the authentication request message defining one or more encryption algorithms supported by the initiator channel;
building an authentication response message based at least in part on a successful state check, a successful validation, and selecting one of the encryption algorithms from the proposal list; and
sending the authentication response message from the LKM of the responder node to the responder channel of the responder node.
20. The computer system of claim 19 , wherein the initiator node is a host computer, the responder node is a storage array, and the LKM executes in a logical partition of the storage array.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.